The government’s primary cybersecurity agency is missing congressional deadlines to identify and categorize its cyber workforce, a congressional watchdog said.

Cybersecurity is one of the most difficult and most pressing challenges facing the nation and government is woefully understaffed to meet this threat. The Homeland Security Department—the lead agency on cyber issues—is taking steps to fill the gap but at least one of these efforts is coming up short and taking far too long, according to the Government Accountability Office.

Having identified the workforce shortfall, in 2014 Congress passed the Homeland Security Cybersecurity Workforce Assessment Act, which required the department to identify all cybersecurity functions and assign unique employment codes to all those positions.

The department has moved to meet this requirement, “however, its actions have not been timely and complete,” GAO analysts said in a Feb. 6 report.

In August, Homeland Security officials reported to Congress that they had identified 95 percent of cybersecurity positions. However, when GAO added vacant positions—a requirement of the legislation—that number dropped to 79 percent.

“In addition, although DHS has taken steps to identify its workforce capability gaps, it has not identified or reported to the Congress on its departmentwide cybersecurity critical needs that align with specialty areas,” the report states, adding that Homeland Security has failed to report these needs to the Office of Personnel Management, as well.

“Until DHS establishes plans and timeframes for reporting on its critical needs, the department may not be able to ensure that it has the necessary cybersecurity personnel to help protect the department’s and the nation’s federal networks and critical infrastructure from cyber threats,” the report reads.

“Your report basically says DHS has missed all kinds of deadlines,” said Sen. Rob Portman, R-Ohio, addressing GAO Managing Director for Homeland Security and Justice George Scott during a Feb. 7 roundtable on the DHS Reauthorization Act. “I understand the need to help state and local [cybersecurity]. I understand the need to harden our own [cybersecurity]. But if you don’t have the personnel to do it, that makes it challenging,”

GAO recommended six actions for the homeland security secretary, all of which Homeland Security officials concurred with:

The secretary should develop procedures on how to identify and code vacant cybersecurity positions.

The secretary should identify the individual in each component who is responsible for leading that component’s efforts in identifying and coding cybersecurity positions.

The secretary should establish and implement a process to periodically review each component’s procedures for identifying component cybersecurity positions and maintaining accurate coding.

The secretary should ensure the Office of the Chief Human Capital Officer collects complete and accurate data from its components on all filled and vacant cybersecurity positions when it conducts its cybersecurity identification and coding efforts.

The secretary should develop guidance to assist DHS components in identifying their cybersecurity work categories and specialty areas of critical need that align to the NICE framework.

The secretary should develop plans with time frames to identify priority actions to report on specialty areas of critical need.

Not only did Homeland Security officials concur, but they provided plans and estimated completion dates for each.